Katherine Archuleta, director of the Office of Personnel Management, resigned Friday in the wake of the agency’s announcement that 21.5 million current, former and prospective government employees and contractors were affected by a recent data breach, a tally higher than it initially expected. Among the stolen data were employment histories, addresses, fingerprints and Social Security numbers – and those nine digits carry their own boatload of information about us.
These days, employers, banks, doctors — possibly even your kids’ soccer team — might ask for your Social Security number. But that wasn’t the original idea.
“When they started this system, there was this big room in downtown Baltimore, Maryland, that had files, literally files, which had everybody’s Social Security record,” says Edward Berkowitz, a history professor at George Washington University. He says Social Security numbers were created in the 1930s to simply track how much people were paying into the system. In the 1960s, they were added to income tax returns. Since then the number of places that use the numbers has gradually ballooned.
“The cat’s out of the bag,” says Zeynep Tufekci, an assistant professor at University of North Carolina at Chapel Hill. “There are so many stolen databases of Social Security numbers out there, that the idea that it’s a private piece of information is frankly, it’s ridiculous.”
Tufekci thinks we should have stopped using Social Security numbers as identifiers about a decade ago.
But if not Social Security numbers – then what?
“The problem with Social Security, as with many other so-called universal identifiers, is that they’re used in many different settings,” says Marc Rotenberg, with the Electronic Privacy Information Center. “So if they get breached in one setting, the practical consequence is that they’ve been breached in all settings.”
The same way using one password for all your online accounts is asking for trouble, Rotenberg says we’d be better off with different numbers for different purposes.
He adds that the rule for governments and companies alike should be: if you can’t protect it, don’t collect it.